Backup solution for authentication server down

Unanswered Question
Feb 1st, 2006

Is there any good backup solution for when the authentication server is down?

We are using ACS and about 100 AP1131AGs.

If ACS is down, all wireless clients are unable to access the network.

mchin345 Tue, 02/07/2006 - 09:22

If the server is reported as offline, the concentrator has not received an Address Resolution Protocol (ARP) response or a reply to an authentication request. Verify the server is functioning and reachable through the concentrator.

The hardware client is failing over to a backup server or a failed Domain Name System (DNS) lookup for the primary server that caused the system to initialize a backup server. A tunnel initiated after this point will be aimed at the specified backup server.

rduke Fri, 02/17/2006 - 07:53

I am considering the same issue, but only have about 20 APs. We have 2 RADIUS servers; one is local, the other is across the WAN. Performance is about the same across the WAN, so it's not a problem when the APs fail over to my backup RADIUS server. On the other hand, I have some units which are in manufacturing, so they are more critical. If one server had a problem and the WAN went down at the same time, I could have a serious problem. I configured one access point with the local RADIUS server enabled and one user name on it. In the unlikely yet possible event that both RADIUS servers are unavailable, the access points will fall down to the third RADIUS server (another access point), and I can use one user name to authenticate my critical clients. Since both RADIUS servers have to be down for the APs to authenticate to the local AP, that logon will not function normally. On the client side, the normal profile will use the RADIUS account, but the backup profile will have the local AP login, which needs to be LEAP or EAP-FAST enabled. It will only work when the RADIUS servers are down, so it is fairly secure, but not secure enough for some installations. I plan to change the password on the AP when it is not needed, just to be sure it can't be used. The client profiles should automatically connect if the first one fails. It's not ideal but works. If you can't get a second RADIUS server, you could do something similar.

I have one user name that works with EAP-FAST to RADIUS and to the AP's local RADIUS. That one user profile works on all three, so a second client profile is not needed for that user name. The password must be kept synchronized though.

R Duke
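
A sketch of the three-tier fallback described in the post above, as Cisco Aironet IOS configuration. This is an added example, not rduke's actual configuration: the addresses (documentation ranges), group and list names, user name, and the bracketed secrets are all constructed placeholders.

```ios
! --- On every AP: try the RADIUS servers in order, local authenticator last ---
aaa new-model
!
aaa group server radius rad_eap
 ! 1. local RADIUS server (constructed address)
 server 192.0.2.10 auth-port 1812 acct-port 1813
 ! 2. backup RADIUS server across the WAN (constructed address)
 server 198.51.100.10 auth-port 1812 acct-port 1813
 ! 3. access point acting as local authenticator (constructed address)
 server 192.0.2.50 auth-port 1812 acct-port 1813
!
aaa authentication login eap_methods group rad_eap
!
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key <SECRET-1>
radius-server host 198.51.100.10 auth-port 1812 acct-port 1813 key <SECRET-2>
radius-server host 192.0.2.50 auth-port 1812 acct-port 1813 key <SECRET-3>
!
! Skip a server that stopped answering for 10 minutes instead of
! waiting out the timeout on every client authentication.
radius-server timeout 5
radius-server retransmit 3
radius-server deadtime 10
!
! --- Only on the AP at 192.0.2.50: enable the local authenticator ---
radius-server local
 ! Each AP allowed to use this authenticator is listed as a NAS,
 ! including the authenticator itself, with the matching shared key.
 nas 192.0.2.50 key <SECRET-3>
 nas 192.0.2.51 key <SECRET-3>
 ! Single fallback account for the critical clients (hypothetical name).
 ! Rotate this password whenever the fallback is not needed.
 user critical-backup password <FALLBACK-PASSWORD>
```

Because the local authenticator is last in the group, it is consulted only after both RADIUS servers have been marked unreachable, which matches the behaviour the post relies on.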

jinsvarghese Wed, 06/27/2007 - 09:34

Hi There,

We are also looking for a backup solution.

Here is our design:

We have two VLANs and two SSIDs created. Clients have to authenticate against Windows AD via Cisco ACS. However, Windows AD and Cisco ACS reside across the WAN. Whenever there is a failure in the WAN link, users are unable to authenticate.

Is there any solution whereby clients have to authenticate locally in case of WAN failure?

Thanks

Posted February 1, 2006 at 9:34 PM